19 Minutes to Escalation: Russian Hackers Move the Fastest

New data from CrowdStrike's incident investigations in 2018 uncover just how quickly nation-state hackers from Russia, North Korea, China, and Iran pivot from patient zero in a target organization.

It takes Russian nation-state hackers just shy of 19 minutes to spread beyond their initial victims in an organization's network - yet another sign of how brazen Russia's nation-state hacking machine has become.

CrowdStrike gleaned this attack-escalation rate from the 30,000-plus cyberattack incidents it investigated in 2018. North Korea followed Russia at a distant second, taking around two hours and 20 minutes to move laterally; China took around four hours; and Iran, around five hours and nine minutes.

"This validated what we've seen and believed - that the Russians were better [at lateral movement]," says Dmitri Alperovitch, co-founder and CTO of CrowdStrike. "We really weren't sure how much better," and their rapid escalation rate came as a bit of a surprise, he says.

Cybercriminals overall are slowest at lateral movement, with an average of nine hours and 42 minutes to move from patient zero to another part of the victim organization. The overall average time for all attackers was more than four-and-a-half hours, CrowdStrike found.

Russia's speedy infiltration of organizations versus other nation-states like China - which overall was the most active of all nation states in hacking in 2018 - reflects how Russia's cyber operations have evolved dramatically over the past few years. Russia wasn't always so brazen: The shift became painfully obvious during the 2016 US presidential election with its aggressive doxing and hacking and other malicious online activity.

"One of the definitive characteristics of Russia is that it's willing to go fast and break things" without caring about getting identified or outed, notes John Bambenek, director of cybersecurity research at ThreatStop. "They behave in atypical ways for an intel agency [in cases]. They get a beachhead and keep moving."

It's often easier to attribute attacks to Russian hacking teams because they move so quickly and are more likely to make mistakes that expose them or stop them in their tracks, he says. "Their mindset is to go fast and break things ... and they are still getting results," Bambenek says.

Even if they are outed, they rarely face consequences given the lack of an extradition agreement between the US and Russia.

Russia shifted from cagey to brazen around the fall of 2014, according to Kevin Mandia, CEO of FireEye, who explained the transformation in an interview with Dark Reading after the 2016 election. "Suddenly, they [Russian state actors] didn't go away when we responded" to their attacks, he said. Historically, Russian attackers would disappear as soon as they were rooted out by investigators: "The Russian rules of engagement were when we started a new investigation, they evaporated [and] just went away."

Those days are long gone, experts say.

Jennifer Ayers, vice president of OverWatch and Security Response at CrowdStrike, says attackers overall are getting faster at infiltrating and invading their targets' networks. Russia's relative speediness, in part, has to do with its abuse of Web servers that, for example, haven't been hardened, she says.

"In many cases, they are using common malware and techniques like phishing email campaigns and BEC [business email compromise]. They are using Web servers on the Net that have not been hardened, so it lets them in a faster time move laterally from entry point to the next level," Ayers explains. Organizations, in turn, must lock down those weakest links and speed up their response rates, according to Ayers.

China

In contrast, China operates more slowly and deliberately, underscored by its more than four hours to get beyond its initial victim in a targeted organization. "They do [the initial attack], step back, get more data, and plan their next steps," taking time, for example, to create kernel modules for specific machines, ThreatStop's Bambenek says. "That takes time."

China last year began reupping its hacking for economic and competitive gain after a temporary reprieve following the 2015 pact between President Obama and China President Xi Jinping not to conduct cyber spying attacks for economic gain. "China is back in economic espionage [attacks] - all of this is taking place across diverse industries," Alperovitch says.

China was technically the "biggest story of 2018," he says.

So far in 2019, China continues to be the most active nation-state in cyberattacks, notes Benjamin Read, senior manager for cyber espionage analysis at FireEye. While FireEye hasn't measured the lateral movement speeds of various nation-states in its investigations, he says, it's logical that Russia would be the most efficient at escalation.

"It makes sense with their being the most technical of adversaries," Read says. For now, Russian activity mainly is focused on European targets, he notes.

Russia, not surprisingly, is expected to ratchet up its targeting of the US in the run-up to the 2020 US presidential election.

Now What?

With the average dwell time of an attacker at six months, according to Verizon's Data Breach Investigations Report (DBIR), just how can defenders apply this so-called "breakout time" of various nation-state actors?

CrowdStrike recommends applying those breakout times to benchmark the time it takes them to detect, investigate, and fix or remediate systems after an attack.

Defenders also can tune their security tools and processes, notes Ayers, setting rules that take into consideration tight time frames. You can set the tools to determine in a matter of minutes whether to take action on a specific threat - blocking a hash if it's a piece of malware, for example. The tools also can determine whether a threat should be escalated to the incident response team for a deeper investigation, or whether passwords should be reset, she notes.
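One way to turn the breakout times above into the benchmark CrowdStrike describes is to measure each incident's detect, investigate and remediate phases and compare the total against the breakout time of the adversary it was attributed to. The script below is an added example, not a CrowdStrike tool or anything from the article; the breakout times are the figures reported in the article, while the incident timeline, the timestamps and the `SAMPLE_NOW` clock are constructed for illustration. An incident that is still open is treated as "missed" only once its elapsed time has already exceeded the budget.

```python
from datetime import datetime, timedelta

# Breakout times as reported in the article (CrowdStrike's 2018 incident data):
# how long each adversary class took to move beyond the first compromised host.
BREAKOUT_TIMES = {
    "russia": timedelta(minutes=19),
    "north_korea": timedelta(hours=2, minutes=20),
    "china": timedelta(hours=4),
    "iran": timedelta(hours=5, minutes=9),
    "ecrime": timedelta(hours=9, minutes=42),
    "overall": timedelta(hours=4, minutes=30),
}

# Constructed incident records (hypothetical, not from the article).
# Milestones are ISO-8601 timestamps; None means the milestone has not happened yet.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "adversary": "russia",
     "initial_access": "2019-03-01T08:00:00", "detected": "2019-03-01T08:12:00",
     "triaged": "2019-03-01T08:20:00", "remediated": "2019-03-01T08:35:00"},
    {"id": "INC-2", "adversary": "russia",
     "initial_access": "2019-03-02T10:00:00", "detected": "2019-03-02T10:05:00",
     "triaged": "2019-03-02T10:09:00", "remediated": "2019-03-02T10:15:00"},
    {"id": "INC-3", "adversary": "iran",
     "initial_access": "2019-03-03T12:00:00", "detected": "2019-03-03T13:00:00",
     "triaged": None, "remediated": None},
]
# Constructed "current time" so the open incident can be measured deterministically.
SAMPLE_NOW = datetime(2019, 3, 3, 14, 0, 0)


def _ts(value):
    """Parse an ISO-8601 timestamp, or return None for a milestone not yet reached."""
    return datetime.fromisoformat(value) if value else None


def phase_durations(incident, now):
    """Return (phases, total_elapsed, is_open).

    phases maps 'detect', 'investigate' and 'remediate' to the time spent in each;
    an unfinished phase is measured up to `now` and later phases are zero length.
    """
    t0 = _ts(incident["initial_access"])
    detected = _ts(incident["detected"]) or now
    triaged = _ts(incident["triaged"]) or now
    remediated = _ts(incident["remediated"])
    end = remediated or now
    phases = {
        "detect": detected - t0,
        "investigate": triaged - detected,
        "remediate": end - triaged,
    }
    return phases, end - t0, remediated is None


def benchmark(incident, now, breakout_times=BREAKOUT_TIMES):
    """Compare total response time against the attributed adversary's breakout time.

    status is 'met' (closed within budget), 'missed' (budget exceeded, closed or not)
    or 'open' (unresolved but still inside the budget). Unknown adversaries fall
    back to the overall average breakout time.
    """
    budget = breakout_times.get(incident["adversary"], breakout_times["overall"])
    phases, total, is_open = phase_durations(incident, now)
    if total > budget:
        status = "missed"
    elif is_open:
        status = "open"
    else:
        status = "met"
    return {"id": incident["id"], "budget": budget, "total": total,
            "phases": phases, "status": status}


def scorecard(incidents, now, breakout_times=BREAKOUT_TIMES):
    """Benchmark every incident and return (results, fraction of closed incidents met)."""
    results = [benchmark(i, now, breakout_times) for i in incidents]
    closed = [r for r in results if r["status"] != "open"]
    met = sum(1 for r in closed if r["status"] == "met")
    return results, (met / len(closed) if closed else 0.0)


if __name__ == "__main__":
    results, rate = scorecard(SAMPLE_INCIDENTS, SAMPLE_NOW)
    for r in results:
        print(f"{r['id']}: {r['status']:6} total={r['total']} budget={r['budget']} "
              f"detect={r['phases']['detect']} investigate={r['phases']['investigate']} "
              f"remediate={r['phases']['remediate']}")
    print(f"closed incidents inside breakout time: {rate:.0%}")
```

Tracking the three phases separately, rather than only the total, shows where the budget is being spent; in the constructed data INC-1 misses the 19-minute Russian breakout time even though detection took only 12 minutes, because investigation and remediation consumed another 23.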

Speeding up response is key, Bambenek notes. "I care if they are marching through my infrastructure, but once they start stealing data, then I have a real problem," he says.

Meanwhile, CrowdStrike last year also spotted China, Iran, and Russia upping their targeting of telecommunications providers. Alperovitch says it's all about control of the Internet: "Just as previous wars fought over telegraph lines and radar and radio waves, this is the new battlefield - every nation wants to get an advantage," he says. "Telecommunications targets hold so much valuable information."


Kelly Jackson Higgins is Executive Editor at DarkReading.com.
